b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe
Size

3.4MB
MD5

f2c58894de1eb8486edc2520de080c74
SHA1

914d606bb7cb101beab92ecfdacd3782e28cce71
SHA256

b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d
SHA512

2e14c5411a19a692c65e057aaadc81043c6efae70f36777feea221e17e637e17f97e9b89b797a9b8e37d5096f5d5f4ba0549d5176e94adb92b2a43fec9c0510d
SSDEEP

98304:VBo8II1RTVQhfkOBzI1BIoA4FOjfU2TE6fqWq3q:VxII1RTVQhfkSEkH4FmMWqWq3q

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	discord.com
19	discord.com

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2952	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 9 IoCs

defense_evasion

pid	Process
4960	taskkill.exe
3688	taskkill.exe
1968	taskkill.exe
1820	taskkill.exe
4160	taskkill.exe
2840	taskkill.exe
1408	taskkill.exe
3860	taskkill.exe
960	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4174397412-4125106315-2776226590-1000\{AF5BBBC3-930C-480C-878B-8840E7A988CA}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3292	msedge.exe
3292	msedge.exe
2156	msedge.exe
2156	msedge.exe
1652	msedge.exe
1652	msedge.exe
3812	identity_helper.exe
3812	identity_helper.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2772	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	87
PID 3444 wrote to memory of 2772	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	87
PID 3444 wrote to memory of 3144	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	88
PID 3444 wrote to memory of 3144	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	88
PID 3444 wrote to memory of 4216	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	89
PID 3444 wrote to memory of 4216	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	89
PID 3144 wrote to memory of 3064	3144	cmd.exe	90
PID 3144 wrote to memory of 3064	3144	cmd.exe	90
PID 3144 wrote to memory of 1664	3144	cmd.exe	91
PID 3144 wrote to memory of 1664	3144	cmd.exe	91
PID 3144 wrote to memory of 4540	3144	cmd.exe	93
PID 3144 wrote to memory of 4540	3144	cmd.exe	93
PID 4216 wrote to memory of 4960	4216	cmd.exe	92
PID 4216 wrote to memory of 4960	4216	cmd.exe	92
PID 3444 wrote to memory of 1012	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	96
PID 3444 wrote to memory of 1012	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	96
PID 1012 wrote to memory of 1820	1012	cmd.exe	97
PID 1012 wrote to memory of 1820	1012	cmd.exe	97
PID 3444 wrote to memory of 3576	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	98
PID 3444 wrote to memory of 3576	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	98
PID 3576 wrote to memory of 4160	3576	cmd.exe	99
PID 3576 wrote to memory of 4160	3576	cmd.exe	99
PID 3444 wrote to memory of 392	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	100
PID 3444 wrote to memory of 392	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	100
PID 392 wrote to memory of 2840	392	cmd.exe	101
PID 392 wrote to memory of 2840	392	cmd.exe	101
PID 3444 wrote to memory of 1312	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	102
PID 3444 wrote to memory of 1312	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	102
PID 1312 wrote to memory of 3688	1312	cmd.exe	103
PID 1312 wrote to memory of 3688	1312	cmd.exe	103
PID 3444 wrote to memory of 3620	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	104
PID 3444 wrote to memory of 3620	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	104
PID 3620 wrote to memory of 1408	3620	cmd.exe	105
PID 3620 wrote to memory of 1408	3620	cmd.exe	105
PID 3444 wrote to memory of 3788	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	106
PID 3444 wrote to memory of 3788	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	106
PID 3788 wrote to memory of 2952	3788	cmd.exe	107
PID 3788 wrote to memory of 2952	3788	cmd.exe	107
PID 3444 wrote to memory of 4084	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	108
PID 3444 wrote to memory of 4084	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	108
PID 4084 wrote to memory of 3860	4084	cmd.exe	109
PID 4084 wrote to memory of 3860	4084	cmd.exe	109
PID 3444 wrote to memory of 1264	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	110
PID 3444 wrote to memory of 1264	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	110
PID 1264 wrote to memory of 960	1264	cmd.exe	111
PID 1264 wrote to memory of 960	1264	cmd.exe	111
PID 3444 wrote to memory of 2440	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	112
PID 3444 wrote to memory of 2440	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	112
PID 2440 wrote to memory of 1968	2440	cmd.exe	113
PID 2440 wrote to memory of 1968	2440	cmd.exe	113
PID 3444 wrote to memory of 2156	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	114
PID 3444 wrote to memory of 2156	3444	b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe	114
PID 2156 wrote to memory of 3404	2156	msedge.exe	115
PID 2156 wrote to memory of 3404	2156	msedge.exe	115
PID 2156 wrote to memory of 4612	2156	msedge.exe	116
PID 2156 wrote to memory of 4612	2156	msedge.exe	116
PID 2156 wrote to memory of 4612	2156	msedge.exe	116
PID 2156 wrote to memory of 4612	2156	msedge.exe	116
PID 2156 wrote to memory of 4612	2156	msedge.exe	116
PID 2156 wrote to memory of 4612	2156	msedge.exe	116
PID 2156 wrote to memory of 4612	2156	msedge.exe	116
PID 2156 wrote to memory of 4612	2156	msedge.exe	116
PID 2156 wrote to memory of 4612	2156	msedge.exe	116
PID 2156 wrote to memory of 4612	2156	msedge.exe	116

C:\Users\Admin\AppData\Local\Temp\b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe
"C:\Users\Admin\AppData\Local\Temp\b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color F0
  2⤵
  PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d.exe" MD5
    3⤵
    PID:3064
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1664
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discordapp.com/channels/1202706036641759263/1223573334692855818
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffbc4a46f8,0x7fffbc4a4708,0x7fffbc4a4718
    3⤵
    PID:3404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
    3⤵
    PID:4612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
    3⤵
    PID:2292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:1404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
    3⤵
    PID:244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4144 /prefetch:8
    3⤵
    PID:596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3900 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1652
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:8
    3⤵
    PID:4456
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
    3⤵
    PID:3344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
    3⤵
    PID:4952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
    3⤵
    PID:1408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
    3⤵
    PID:2636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,12455879423322770650,4685651040390668052,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6a53cceb7a396402c1eccd08dbe38a73

SHA1
96e06029b79791df1b1a0a7cef7508a5c44d13c4

SHA256
31c8ba2ce8a088515e4feff78968e8916c759331b7428421a990cc349a208b51

SHA512
bda381d092d0272a19350a66533ec0fac2efccfd26fc87695a8270eb3d4abec01483b31dfae75ba3f128623454d471c9e948c44df478edbdb6b5a15377637036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a451e41e51facc395053e7b74c3490d0

SHA1
c866ac24af529f0265e99bd88529da46c9ff6dcc

SHA256
cc33bfdf9c856a2e9e9aa8eeddf9723a0396fad82b0dcae7a408bb4c84fdb584

SHA512
553489450d55d7adb9c859e521d0e46961490e54c533c826adc8c546ca0b51ecda82c159801bd060a291e724355c6d4fd2ee603ff65d4a15603f34f1472664fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
17eb9db47e385afdc27d96ec9867e40a

SHA1
a688dd0b14460a85d98e8c478eaa4fc815a8f776

SHA256
1f9a48d4aa05f86d595995ca11fe4e6c520a85bc969169999bbeef141652c090

SHA512
8b5e4627f13592a8860428a4e9b9127a974272452b4a49459acc7dce36452cde64403178ff481426ae8e99f6c81d5a5c0672311515ad18bb8d07e084b41a9331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
251B

MD5
2b888d7f7f574da0a851404e2c3c3117

SHA1
4592249f049f5aed045c8acf6770e91b24278d3c

SHA256
6d914d1ddb4c5788216f5787efb5e94a9a3928e2953829857108ba0892021170

SHA512
1367659f249b3112ec96b2fba99219da9b3d3a5630fda59266108ee86029871774aa4f6a25d5c23c4190fc3825a5679bfaa6c69660756acafc6508850b7a837f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44df0bae9b29e596038204e5c881a608

SHA1
d73890bea15ea5f506c532345818dee87ce8c1b9

SHA256
4e1dadb7ef0a9d5e089f772b6fa2f3b718d6cc4a49fe3ee63db45824a88943d4

SHA512
b9f74c561a59a9db944954f7ca6b1c07f8e39ea614a37eb5576a6b89dc3153936653b8ad042533056936fffaa1510b9387f610bdd92e826f3b8de28a2d85a05f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff8727cea015ca4e47c8aced202002a3

SHA1
94a79354764ebe6becd2af82973ac3d195cf3a3d

SHA256
bda2cda00e1bb0ab483744b3afc6c3ca74555e728dddf37c19573f26c55981f3

SHA512
d0293facb52e707e5869219158b143b158c43dc285abccb3308c1c214aeaeb2688e14b6dfad4fc9f1805dafe6ac0ef389be79c7d6c06a38eb39da72d5bf4307e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bdc3f93a32a9d3fbf85c5c507a8a960e

SHA1
f763fbd2ab6befc133fd112d36941fdae896241c

SHA256
21b5f11226fa3760da00917b45c4a30d70822d98502d23575c8e3bcf434d18b2

SHA512
8b0d6e26f73b938088a3cae517a53f35755ac8e644b6902be2901b662609c4672ae196d027cba447c58814f07ce97407754d352a59fce0c8ecfc8bb022c189c6

Download Submit